"The real problem is not whether machines think but whether men do." – B.F. Skinner

In the U.S., safety and security almost always take a back seat behind commerce. This historical principle is in evidence in almost any field. Unfortunately, numerous examples of this – disasters all – have been documented in fields as diverse as infrastructure – dams, bridges, traditional and nuclear power; travel — automobile, rail, and air travel; building codes, pharmaceuticals, children’s toys, and of course, the Internet.

The moderating advances in the safety and security fields within the disciplines of science, law, and social policy inevitably lag behind the technological innovation and first-to-market principles that have traditionally driven the US money engine.

Take the matter of 19th-century steamboat boiler explosions.

At the time, steam travel was miraculous – a technology that was a quantum leap past riding by horse or barge. It, like the Internet, gained instant – almost magical — popularity. The promise was rapid (well, faster) transport to distant locations of both people and commercial freight. But these wonders came with a price.

Steam boiler explosions.

Big ones that killed thousands of people per incident. In fact, the worst maritime disaster in US history – worse than the loss of the dreadnought, Arizona, at Pearl Harbor – occurred when at least three of the SS Sultana’s four boilers exploded near Memphis, TN in the spring of 1865.

More than 1800 people perished. Consider for a moment the scope of this single, almost forgotten, calamity (and it was one of many). If you were to scale the numbers of dead in the Sultana accident to 2011 population numbers, you would come up with approximately 18,000 dead in that one accident.

In the Sultana’s case, operator error – driving the boilers above their rated pressures – may have been the root cause of the catastrophe. However, in general, high-pressure steam engine designs, first introduced in the U.S. in the early 1800s, had, over time, increased the internal pressure of boilers almost 20-fold. Boiler design safety and the strength of the material used to build boilers had not kept pace.

What do steamboat explosions have to with Information Security?

Good question. It allows me to introduce what I refer to as The Sultana Axiom: “Operator error is inevitable when humans interact with technology.”

A corollary of this is that “As any technology becomes more complex, the resulting errors will become more frequent and more catastrophic.”

The point is: History proves that Faith-Based Security (hoping that your organization or country does not become a victim) does not work. From a strategic PoV, we must anticipate that cyber catastrophes will occur with some regularity, and we must plan accordingly. I believe that this means diverting funding and attention from high-probability, low-impact attacks to low-probability, high-impact attacks -- to focus our efforts on detection and remediation, and on criminally punishing attackers.

Incidentally, steam boiler explosions were not all accidental. During the Civil War, Southern agents devised a weapon that eerily foreshadows the more common types of malware seen on the Internet today. The agents designed and built a forge that would crank out hollow, irregular spheres that resembled chunks of coal. They would fill these coal torpedoes with gunpowder – creating a disguised bomb, which they called a "Coal Torpedo."

Confederate spies would then infiltrate enemy lines and place coal torpedoes in the coal piles used to fuel Union steamships and locomotives. These hidden bombs, when shoveled into the fires that heated the steam boilers, would explode; destroying or disabling the affected vehicle and creating random havoc behind the Union lines. This Trojan Horse tactic for introducing malware on unsuspecting users’ computers and smartphones is still a major attack vector today.

The Internet, like steam-powered travel, is a technological breakthrough that has changed the world. It also faces similar growing pains. Still in the process of evolving from a decentralized, semi-codified, set of almost mystical agreements between network owners (carriers) with each other; and between network owners, corporate, governmental, organizational, and individual users, it provides a convenient -- almost magical -- means to communicate, to entertain, and to move monies rapidly. And most importantly, the Internet, at some point, became a cornerstone of the national infrastructure of the developed world.

The goal of any information security program is to map and enforce data access to the individuals or groups who are authorized to access those data and to restrict others from doing so. It’s all about controlling access to data. As a security administrator you can’t afford to mess this up even one time, because once the data’s gone, it’s gone.

On the contemporary Internet, reconnaissance and attack are almost always automated. This causes the battle to be ubiquitous and relentless: it takes place every hour of every day of the year.

The concept of trust – once taken for granted – is still a fundamental component of the Internet, but this trust is no longer assumed. Instead, a variety of processes, protocols, and technologies have been bolted on to the existing IP network to enforce trust. Experience has shown us that this trust apparatus works, at best, some of the time.

Add into this mix the Sultana axiom: the inevitable gap between new technologies and their cognate legal/policy updates. These are three of the many reasons I believe that the digital security battle can never be won by the good guys by relying primarily upon technological fixes.